Subject: Re: E-mail authentication during posting
Newsgroups: lugnet.admin.nntp
Date: Tue, 19 Jun 2001 07:40:20 GMT
Viewed: 657 times

Hello Ross, hello everybody,

> > > If that won't work, how about making it so we can just reply to the email
> > > instead of going to the web page. I think I could create an auto-reply
> > > rule or something in my mail program that would make this automatic.
> >
> > This I can definitely do, but it will have to be at least somewhat
> > interactive so that someone doesn't accidentally cause a message to get
> > posted simply by replying. For example, you would probably have to reply
> > and then put an 'x' in a box or some other way of marking which of the
> > choices (post or delete) that you want to apply.
>
> And it'd have to be something that can't be easily automated by the poster -
> this defeats the scheme. I've seen some web pages which generate a bitmap
> containing a string which isn't easily scanned, and asks you to type the
> string in to authenticate. You could mail such a bitmap, and make the user
> type the string in the body of the reply, or something.

Can one of you set me straight: I assume the attacker has no access to my
email account. How could he, then, automate an email reply I have to send in
order to make my post valid?

As for a minimum amount of interactivity, I can probably live with that,
and, indeed, it is necessary to not let some authentication replies slip
through unnoticed. It would still be nice to combine that with some
mechanism that allows authenticating a whole set of postings at once ...

Now, just to make sure we do not just discuss the potentially unfinished
odds and ends, let me try and summarize the situation as it is right now,
after the "lost messages" problem seems to be fixed. There are basically
three use cases, and there seems to be some consensus that, ideally, none of
them should require a cross media authentication solution:

- The Web interface

  Everybody who uses this seems to be very happy with the solution
  Todd worked out, because it is very well integrated, and therefore
  almost invisible to legitimate users.

- The Mail Interface

  Currently requires a cross media Web authentication scheme, which
  could be enhanced to allow for bulk authorization. Of course, as
  always, this means additional work ...

  A potentially more user friendly solution could be the mail
  authentication scheme discussed above. Again, this means work to be done ...

- The News Server

  Currently requires the same cross media Web authentication scheme
  as the mail interface. Also, since at least some of the News Server
  users use a combined News/Mail Client, reusing the mail
  authentication scheme discussed above could be a viable option for them as
  well.

  Using the NNTP authorization scheme, while technically possible,
  cannot ensure that legitimate users of the server can only post
  with their own identity. Also, it would make it harder to just
  read news (as opposed to read and post).

  The PGP idea I brought up in one of my earlier postings may not be
  adequate for every user, depending on their technical skills and
  the level of PGP integration into their respective newsreaders.
  Still, it seems to be the only possibility that promises one stop
  shopping for NNTP users. I haven't seen much discussion about it,
  especially no comment from Todd, so I am still not sure whether
  this is technically feasible or not, and how much effort its
  implementation might cost.

As a final word, let me thank Todd for the work he has already put into
this, and express my hope that the current discussion does not put too much
of an additional burden on him ...

Greetings

Horst
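
The reply-by-mail confirmation discussed in this message, as an added example that is not part of the thread and not LUGNET's code: the server acts only when the reply carries the per-post token and exactly one marked choice, so an unedited auto-reply leaves the post held. The HMAC token, the mail layout and every name below are assumptions made for illustration.

```python
import hashlib
import hmac
import re

SECRET = b"constructed-demo-key"  # assumption: server-side secret, never mailed out

def token_for(message_id: str, sender: str) -> str:
    """Per-post token bound to the held message and the claimed sender."""
    mac = hmac.new(SECRET, f"{message_id}|{sender}".encode(), hashlib.sha256)
    return mac.hexdigest()[:20]

def build_challenge(message_id: str, sender: str) -> str:
    """Body of the confirmation mail: a token plus two empty choice boxes."""
    return (f"Held post: {message_id}\n"
            f"Token: {token_for(message_id, sender)}\n"
            "Mark exactly one box with an x and reply:\n"
            "[ ] post\n"
            "[ ] delete\n")

# Both patterns tolerate the "> " prefixes a mail client adds when quoting.
BOX = re.compile(r"^[>\s]*\[\s*([xX]?)\s*\]\s*(post|delete)\s*$", re.M)
TOKEN = re.compile(r"^[>\s]*Token:\s*([0-9a-f]{20})\s*$", re.M)

def decide(reply_body: str, message_id: str, sender: str) -> str:
    """Return 'post', 'delete' or 'hold' for a reply to the challenge."""
    m = TOKEN.search(reply_body)
    if not m or not hmac.compare_digest(m.group(1), token_for(message_id, sender)):
        return "hold"  # missing token, or a token issued for another post
    marked = [action for mark, action in BOX.findall(reply_body) if mark]
    # No box marked (blind reply) or both marked (ambiguous): take no action.
    return marked[0] if len(marked) == 1 else "hold"
```
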

Message has 1 Reply:
Re: E-mail authentication during posting
(...) If you automate the response to the authentication e-mail, all I have to do is spoof your identity as Mad Hatter has done several times. Because the authentication gets sent to your email regardless of where I post from, and your response is (...) (23 years ago, 20-Jun-01, to lugnet.admin.nntp)

Message is in Reply To:
Re: E-mail authentication during posting
(...) And it'd have to be something that can't be easily automated by the poster - this defeats the scheme. I've seen some web pages which generate a bitmap containing a string which isn't easily scanned, and asks you to type the string in to (...) (23 years ago, 19-Jun-01, to lugnet.admin.nntp)